Is Friendster Violating TRUSTe’s Trademarks?

Friendster is the popular social networking website, where one can — with pictures, testimonials and messages — keep up with one’s friends or make new ones. TRUSTe is an industry self-regulator of online privacy practices.

Websites that sign the TRUSTe license get to post the TRUSTe trademark and have to follow certain guidelines in their privacy practices. These guidelines include disclosure, a few user controls, an internal complaint procedure and an agreement to abide by TRUSTe’s consumer dispute resolution process. I have no idea how good the process is.

Some of Friendster’s actions recently caught my notice — they started allowing Friendster members to see who had viewed one’s profile. They still allowed people to browse anonymously. Now, when you browse anonymously, you also are blind to who has seen your profile. All very interesting experimentation by Friendster. But it made me curious about my anonymity settings and their privacy practices. So I decided to look into it.

Trademark Infringement?

Something is wrong here. Either Friendster is infringing TRUSTe’s mark or TRUSTe has an error in their verification script.

On the page where you set your settings, anonymous browsing, and other features, a Friendster Privacy notice is displayed on the right-hand side (screenshot).

Clicking on that TRUSTe logo there takes us to Friendster’s privacy page, which includes the TRUSTe seal (screenshot).

But, clicking on the button to verify, we get sent to TRUSTe’s site, which tells us that Friendster is not verified (again, click for a screenshot).

What’s going on?

I pressed the TRUSTe button to file a “watchdog complaint.” More people should do so, so that we can resolve this. If someone as big as Friendster (and so full of personal information — like email addresses, lists of interests, lists of friends and connections) can violate TRUSTe so willy-nilly, then the TRUSTe self-regulation system is a bit of a joke. Then again, it could also be a mistake with TRUSTe’s verification system.

Posted: 11/5/2005

UK Labor Union: No RFID Employee Tracking

A UK labor union is raising the red flag on the dehumanizing effects of ubiquitous, persistent, RFID-based employee tracking. And they don’t just want regulation, but are actually taking action:

The GMB warned supermarkets last month that they face strike action if they continue to “dehumanise” shelf-stackers and warehouse staff by forcing them to use wearable computers that track movement and time how long it takes to complete tasks with RFID and GPS.

The first RFID strike?

Some employee tracking has been found to be a clear violation of privacy, at least in Portugal. In 1997, the Portuguese courts tossed out a system for tracking employee bathroom time (see section 5.2) (sorry, link in Portuguese). That system used magnetic cards and monitored entrances to and exits from bathrooms.

Posted: 7/19/2005

EPIC Gets WMATA SmarTrip Info

I have previously blogged about the WMATA SmarTrip cards. These are RFID-enabled plastic cards that are used in the DC metro system. They are different from the paper farecards, which are normally discarded after several uses.

EPIC submitted a FOIA request for what sorts of data are kept, and confirmed that the data is associated with the individual cardholder and is retained for up to a year, detailing entry and exit points and times.

They also got some information on what is done with the data. Included in the FOIA response are some subpoenas for SmarTrip data. This ties in to EPIC’s comments on WMATA’s policy of disclosing this data. WMATA is working on their policy and has recently published a revised draft of it.

WMATA is proposing to allow law enforcement access to personally identifiable data without requiring a court order. Other than that, access to personally identifiable data is available via a court order or to the subject of the data. Notably, third parties cannot get the data even if they have permission of the subject to do so.

Posted: 5/25/2005

CISCO’s Employee Tracker

CISCO is offering a new RFID-based wireless security solution: the Wireless Location Appliance 2700. It’s a server that can use your wireless network to track the location of all Wi-Fi equipment and active RFID chips within your network. The server can store the data and provide “trend” data for how stuff moves around. The launch touted the use of the server to monitor the movement of medical equipment in a hospital.

With the Cisco Wireless Location Appliance, doctors, nurses, and support staff can spend less time searching for equipment and more time providing patient care. High-end medical equipment scheduled for routine maintenance can now also be located in minutes, not days.

The privacy problem? This can pretty easily be used to track employees in the workplace, once they are given RFID-tagged badges. Trend analysis will tell us who is spending too much time in the bathroom, or with other employees. Historical data will let an employer track who has been in the same room as the pro-union members of their workforce.

Retailing for $15K ought to slow the deployment of this technology as an employee tracker. But these prices won’t last, and to some employers, $15K might be worth it to monitor several hundred employees.

Posted: 5/23/2005

REAL ID and RFID

Congress is putting the finishing touches on the REAL ID Act. Bruce Schneier has a rundown of its privacy and security implications. One of them is the national mandate that all driver’s licenses have machine-readable technology.

The fear is that this will morph into a requirement, or a de facto implementation, of RFID in driver’s licenses.

Engadget has more.

Posted: 5/10/2005

EU and US on RFID Privacy

I recently came across two articles that could serve as a beginning of an exploration of the differences in how the US and the EU approach the issues of RFID privacy: FTC Asks RFID Users to Self-Regulate, and Privacy Laws: Europe Protects Against RFID Abuses.

The US approach right now is one of “self-regulation,” which appears to mean that people who deploy RFID in a consumer setting will make their own decisions about consumers’ privacy. This could just mean that the FTC is happy with what they see happening right now, given the low deployment rates, rather than that they don’t care to ever regulate to protect consumers’ privacy.

The US approach also seems to ignore the promiscuity of RFID tags — many will be scannable by anyone and will respond to any reader’s query, not just the manufacturer’s:

The agency has also concluded that many of the potential privacy issues associated with RFID are inextricably linked to database security. Companies using RFID to collect and augment personal consumer data must therefore adhere to existing FTC guidelines on implementing reasonable and appropriate measures to protect that data.

I must admit I don’t know much about what those FTC guidelines on implementing reasonable and appropriate measures to protect that data mean right now. But we can take from this that the FTC doesn’t appear too concerned with people other than the deployer of the RFID tags reading them, collecting their own data, or drawing their own conclusions from the presence of the tags on a consumer or products.

The EU article didn’t address this specific point, but it does have regulators providing minimum requirements before widespread adoption by industry:

Under European law, any company that uses RFID must notify the consumer the tag is on the product and provide details on how to discard the tag and access the information held on it. The company must also disclose how any information will be collected and used.

This doesn’t address third-party reading of tags (other than by giving consumers notice of the tags and their information), but it does go towards providing some minimum standards that companies have to follow in alerting consumers. My guess is this will provide a good incentive for consumers to demand better regulation — whether government-imposed or self-imposed. Consumers on notice will be able to exert both public and market power to control the information they create, and that is gathered on them, via RFID on consumer products.

UPDATE. Here’s another article I just ran into about the US approach: Rep. Senators Vow to Protect RFID.

A group of Republican U.S. Senators said they will work to ensure that RFID deployments stay free of regulation, according to a new policy platform that has already won the support of RFID, technology and retail organizations while drawing concern from privacy groups.

So it’s not just the FTC that believes in “self-regulation.” It’s also the GOP technology folks, which probably means that there is no chance for any RFID regulation in this Congress.

UPDATE II. Just in time for this piece, here is a recent EPIC report: Privacy Self Regulation: A Decade of Disappointment. Citing the success of the Do-Not-Call Registry:

FTC’s success in the telemarketing field demonstrates that it can protect Americans’ privacy effectively and fairly. However, telemarketing was a 20th century problem. This report argues that it is time for the agency to move into the 21st century. It is time for the agency to apply the principles of telemarketing privacy regulation into the online world.

Posted: 3/11/2005

RFID Readers for Your Palm

Here’s an SD card RFID reader. It fits right onto your Palm or laptop, and can even write to RFID chips. Thankfully, it’s a thousand bucks and only has a 7cm range. So it’s not quite consumer level, and not quite able to take advantage of ubiquitous chips.

Posted: 3/3/2005

More Signs of Ubiquitous RFID Readers.

Most people agree that ubiquitous and promiscuous RFID chips are coming to the market. Some say they’re going to stay out of the consumer market, operating just for supply chains, while others say that they will reach consumers and thus the general population.

As I’ve mentioned before, a lot of the discussion of RFID threats to privacy and information safety is premised on a certain hierarchy of the RFID landscape: ubiquitous chips being watched by fewer readers in the hands of ‘larger’ institutions — retailers, marketers, government entities.

This article on RFID adoption expectations in the UK contains an interesting quote:

“Nokia for example are making significant progress in the area of Near Field Communications and can already produce cheap mobile RFID readers for around $700, but prices will inevitably come down quickly as they move this technology into the mass product market. This will enable you to “touch” a poster of Kylie with your RFID enabled phone to download information and music. People will be able to use their phones in many more ways from checking whether an item is in a shop stockroom to using web services to finding more information about products.”

While 700 bucks is a lot of money, that clearly is going to drop. And these people at least are expecting RFID readers to reach the consumer level. So we can expect that it’s not going to be just institutions that are going to be capturing the data given off by an individual’s RFIDs, but other individuals as well. Thus concerns about RFID privacy aren’t going to be properly addressed simply by regulating or watchdogging business privacy policies and practices.

Posted: 2/16/2005

RFID and Legal Protection

This article gives a brief overview of some of the current and possible legal protections afforded to consumers in an RFID-infested environment. They recommend amending the Wiretap Act to cover interceptions of RFID transmissions:

In essence, this act prohibits any person from intentionally intercepting, or endeavoring to intercept wire, oral or electronic communications by using an electronic, mechanical or other device unless the conduct is specifically authorized or expressly not covered.
Although wiretapping is not identical to RFID, it shares an abundance of similarities that may carry over to RFID technology.

Another source of protection they point to is contract law. Consumers with tags will generally be entering into contractual relations with the merchants/providers of the tags. This probably does not protect consumers from third-party use of the tags though. I’m not too sure about this, but I believe that the privacy torts and protections only protect people where they have a ‘reasonable expectation of privacy’ and this ‘reasonable expectation’ can’t be formed solely by contracting for privacy. I’ll have to double check that.

The article also points to the Federal Trade Commission’s Fair Information Practice Principles. I don’t think these have legal force, or even that they create a private cause of action (rather than simply being something that only the FTC will enforce).

Lastly, the article points to the law enforcement/search uses of RFID. They don’t say much here, but my belief is the law is guided by the ‘reasonable expectation of privacy’ standard.

Posted: 2/15/2005

EU Looking at RFID Privacy

I have heard that in general the EU has stronger privacy laws than here in the US. Some regimes hold that consumer data belongs to the consumer, the subject of the data, rather than to the corporate entity that has collected the data. I don’t know exactly how that plays out, but it looks to be an interesting topic for a future post.

They do seem to be looking closely at RFID: The European Union Works Out RFID Privacy Legislation. Two concerns appear to be individual geographic tracking and proper security of environmentally promiscuous technology, and they seem to be placing some of the responsibility for these features with the manufacturers and researchers.

The new working group says it has found other issues with regard to RFID that need to be addressed. RFID technology increases the potential for direct marketing with item-level tagging, since shoppers could be recognized and their movements tracked while in stores, according to the group.
Another concern for the EU working group is the use of applications that link an RFID-enabled plastic card with a consumer’s bank-account number to enable payment processing, similar to a credit card, without having to swipe the magnetic strip.
Manufacturers of RFID equipment and applications should be held equally responsible for building tags, readers, and printers that protect consumers’ right to privacy, the document states.

They reference other potential issues in the article.

The article also discusses an EU Working Paper. The English PDF is here.

Posted: 2/8/2005
